HIPAA Compliance Checklist: What You Need to Know

The divide between what HIPAA regulation actually requires for compliance and what healthcare professionals believe compliance means is wider than ever. When she was appointed in late 2015, Jocelyn Samuels, director of the Office of Civil Rights (OCR), announced her plan to begin a new wave of audits. Extensively reported upon, these Phase 2 audits are reaffirming that the more than $10 million in fines levied against non-compliant Covered Entities (CEs) and Business Associates (BAs) in 2015 alone is set to become the norm, and may even grow over the coming months.

Compliancy Group is here to make sure that you’re not the one being hit with these fines. We’ve compiled this HIPAA checklist to help guide you through some of the most often overlooked components of total HIPAA compliance, and to help ready you for this sweeping new series of audits that OCR has lined up.

First, let’s familiarize ourselves with some basic information regarding how to become HIPAA compliant.

Marc Haskelson, CEO of Compliancy Group, comments that “The HIPAA regulations apply to all healthcare organizations whether large or small, Covered Entities, or Business Associates. It is provided to these organizations to secure protected health information in an organized manner. This organized management is contained in The Seven Elements, which are the absolute bare minimum, non-negotiable skeleton of any compliance program.”

HIPAA regulation has grown since its initial implementation in 1996, and now includes specific rules surrounding the use and dissemination of protected health information (PHI) and electronic protected health information (ePHI). Below, we’ll get into some of the particulars.

The HIPAA Compliance Checklist: The Privacy Rule

The HIPAA Privacy & Security Rule is a series of national regulations concerned with safeguarding patients’ PHI and medical records from unauthorized access. It gives patients the primary rights over their own health information. The rule applies to health plans, healthcare clearinghouses, and healthcare providers that conduct certain electronic healthcare transactions. These groups are required to place appropriate limitations and conditions on the use and disclosure of PHI.

Implement written policies, procedures, and standards of conduct: Ensure that you have written training standards as well as written penalties that employees are informed of in the case of a violation.

Have BA agreements in place: When conducting business with a BA, you need to ensure that you have comprehensive, up-to-date agreements in place to protect your firm from liability in the event that a BA breaches HIPAA regulation.

Data safeguards: Maintain administrative, technical, and physical safeguards to monitor use or disclosure of PHI.

Complaints procedures: Implement procedures through which patients can file a complaint with the CE about its HIPAA compliance, and inform patients that complaints may also be submitted to HHS.

Retaliation and waiver: No retaliation may be taken against a patient who exercises their rights under the Privacy Rule. Patients cannot be required to waive their Privacy Rule rights as a condition of obtaining treatment, payment, or enrollment.

Documentation and record retention: Records of all privacy policies, privacy practice notices, complaints, remediation plans, and other documentation must be stored and accessible for six years after their initial creation.

Privacy personnel: Ensure that an appointed privacy officer is in place to develop and implement the rest of these privacy policies.

The HIPAA Compliance Checklist: The Security Rule

The HIPAA Security Rule outlines specific regulations that are meant to prevent breaches in the creation, sharing, storage, and disposal of ePHI. Since its adoption, the rule has been used to manage patients’ confidentiality alongside changing technology. And now, with the growing trends of cloud computing and online and remote document sharing, the protection of ePHI is becoming more important than ever.

The Security Rule is organized into three categories of safeguards (administrative, physical, and technical), and each category requires different standards to be implemented before an organization can be deemed fully compliant. The legal jargon that surrounds each safeguard and standard can be confusing, so we’ve broken them down into a simple but comprehensive list below.

The HIPAA Security Rule Checklist: Administrative Safeguards

Administrative safeguards should be in place to establish policies and procedures that employees can reference and follow to ensure that they’re maintaining compliance. Each of these standards should be documented as a written policy, accessible to all employees so that they understand the necessary steps they should be taking to maintain patients’ confidentiality.

Standard 1. Security Management Process

Risk Analysis should be done to assess confidentiality of ePHI

Risk Management measures should be implemented to assess potential breaches in ePHI

Sanction Policies should be extended to employees who fail to comply with policies and procedures

Information System Activity Reviews should be in place so that system activity is regularly monitored

Standard 2. Assigned Security Responsibility

Security Responsibility should be assigned to an employee who can regularly monitor, develop, and maintain privacy policies and procedures

Standard 3. Workforce Security

Employees who are meant to deal with ePHI should undergo Authorization and Supervision

Workforce Clearance Procedures should govern who is and isn’t allowed access to ePHI

Termination Procedures should be in place so that employees who have left a practice no longer have access to the ePHI they previously could reach

Standard 4. Information Access Management

Clearinghouses that are part of larger organizations need to have properly Isolated Access to ePHI

Employees should be given Access Authorization depending on whether or not their role requires that they handle ePHI

Access to ePHI should be governed by strict rules for when and how it is granted, Established, or Modified

Standard 5. Security Awareness and Training

Security Reminders should be regularly communicated

Protection from Malicious Software should be a priority to prevent ePHI from being compromised

Log-in Monitoring should be in place to detect any unauthorized access to ePHI

Password Management should be implemented for creating, changing, and protecting employees’ passwords

Standard 6. Security Incident Procedures

Breaches and their ramifications need to have documented Response and Reporting procedures

Standard 7. Contingency Plan

A Data Backup Plan is required to ensure that there are ways to retrieve ePHI that has been lost because of a malfunction or a breach

Disaster Recovery Plans should be in place to ensure that any lost ePHI can be fully restored

Emergency Mode Operation Plans should be established so that employees can properly access and handle ePHI, while maintaining privacy, in the event of an emergency

Contingency procedures should be Tested and Revised on an ongoing basis to address faults or flaws

Contingency procedures should go through Applications and Data Criticality Analysis to ensure that contingency plans are as streamlined as possible

Standard 8. Evaluation

The technical and non-technical elements of ePHI security should be regularly Evaluated, particularly when moving offices or changing operations

Standard 9. Business Associate Contracts and Other Arrangements

Written Contracts or Other Arrangements need to document that BAs will comply with all ePHI security measures.

The HIPAA Security Rule Checklist: Physical Safeguards

Physical safeguards should guide the creation of policies and procedures that focus on protecting electronic systems and ePHI from potential threats, environmental hazards, and unauthorized intrusion. And as is the case with administrative safeguards, each of these standards should be documented as a written policy, accessible to all employees so that they understand the necessary steps they should be taking to maintain patients’ confidentiality.

Standard 1. Facility Access Controls

Procedures should be in place to establish Contingency Operations plans that allow access to the physical office and stored data in the event of an emergency

A Facility Security Plan needs to be well established to protect equipment that stores ePHI from unauthorized access and theft

Access Controls and Validation Procedures should govern when, how, and to whom access to equipment is granted

Maintenance Records should document modifications to the physical facility such as renovations or changing doors or locks

Standard 2. Workstation Use

Workstation Use policies need to specify the use, performance, and physical attributes of equipment and workstations where ePHI is accessed

Standard 3. Workstation Security

Workstation Security should entail physical safeguards that govern who can access workstations and equipment where ePHI is accessible

Standard 4. Device and Media Controls

Disposal of hardware or equipment where ePHI has been stored needs to be strictly managed

Policies should be in place to determine how and when ePHI should be removed from equipment or electronic media before Re-use

Hardware and equipment that has access to ePHI should be Accountable and, if necessary, tracked

Data Backup and Storage procedures should entail the creation of exact copies of ePHI

The HIPAA Security Rule Checklist: Technical Safeguards

Technical safeguards are the last piece of the Security Rule. They’re meant to provide written, accessible policies and procedures that monitor user access to systems that store ePHI.

Standard 1. Access Control

Employees should be granted Unique User Identification in the form of a username or ID number that can be used to identify and track system usage

Procedures should be in place that determine Emergency Access protocols and authorization

Systems that store ePHI should be built with an Automatic Logoff function after inactivity

Encryption and Decryption methods should be built into systems that store ePHI

Standard 2. Audit Controls

Audit Controls must regularly monitor, record, and store system usage and ePHI access

Standard 3. Integrity

In order to ensure that ePHI hasn’t been accessed, altered, or destroyed without authorization, a Mechanism to Authenticate ePHI should be built into the system

Standard 4. Person or Entity Authentication

Person or Entity Authentication needs to be in place to ensure that only authorized employees or users have access to certain data and ePHI

Standard 5. Transmission Security

Any ePHI that is transmitted electronically needs to be protected by Integrity Controls to ensure that it hasn’t been modified in the process

Any stored ePHI should be Encrypted
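The Technical Safeguards above name a “mechanism to authenticate ePHI” (Standard 3), integrity controls for transmitted ePHI (Standard 5), automatic logoff and unique user identification (Standard 1), and audit controls (Standard 2), but the checklist does not show what such a mechanism looks like in practice. The following Python is an added illustration, not code from the original page or from Compliancy Group’s product: it attaches an HMAC-SHA256 tag to a record so that storage or in-transit modification is detected on read, expires an idle session after a fixed timeout, and writes an audit entry for every access. The integrity key, the record fields, the record identifier, and the 15-minute timeout are constructed assumptions for the example; a real deployment keeps the key in a key store, retains the audit log in append-only storage, and sets the timeout per its own policy.

```python
import hashlib
import hmac
import json

# Constructed key for this example only; never hard-code a real integrity key.
INTEGRITY_KEY = b"example-only-integrity-key-do-not-use"

# Assumed inactivity limit for automatic logoff (Standard 1); pick per policy.
SESSION_TIMEOUT_SECONDS = 15 * 60

# Audit log (Standard 2). In production this is append-only, retained storage.
AUDIT_LOG = []


def canonical_bytes(record: dict) -> bytes:
    """Serialize deterministically so the tag does not depend on key order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_record(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Attach an HMAC-SHA256 tag: the 'mechanism to authenticate ePHI' (Standard 3)."""
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify_record(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute the tag and compare in constant time. False means the ePHI was altered."""
    expected = hmac.new(key, canonical_bytes(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def transmit(sealed: dict) -> bytes:
    """Put the sealed record on the wire; the tag travels with it (Standard 5)."""
    return json.dumps(sealed, sort_keys=True).encode("utf-8")


def log_access(user_id: str, action: str, record_id: str, outcome: str, now: float) -> dict:
    """Record who (unique user ID) did what to which record, and whether it succeeded."""
    entry = {"ts": now, "user_id": user_id, "action": action,
             "record_id": record_id, "outcome": outcome}
    AUDIT_LOG.append(entry)
    return entry


def session_expired(last_activity: float, now: float,
                    timeout: float = SESSION_TIMEOUT_SECONDS) -> bool:
    """Automatic logoff: True once the session has been idle for the full timeout."""
    return now - last_activity >= timeout


def receive(wire: bytes, user_id: str, now: float, key: bytes = INTEGRITY_KEY) -> dict:
    """Receiver side: verify the integrity control before releasing the record."""
    sealed = json.loads(wire.decode("utf-8"))
    record_id = sealed["record"].get("record_id", "unknown")
    if not verify_record(sealed, key):
        log_access(user_id, "read", record_id, "integrity_failure", now)
        raise ValueError("integrity check failed: ePHI modified in transit or at rest")
    log_access(user_id, "read", record_id, "success", now)
    return sealed["record"]


def tamper_demo() -> bool:
    """Seal a constructed record, alter one field, and report whether it still verifies."""
    sealed = seal_record({"record_id": "REC-0001", "patient_id": "P-0001",
                          "diagnosis_code": "J10.1"})   # constructed sample ePHI
    altered = {"record": dict(sealed["record"], diagnosis_code="Z00.0"),
               "tag": sealed["tag"]}
    return verify_record(altered)   # False: the change is detected


if __name__ == "__main__":
    good = seal_record({"record_id": "REC-0002", "patient_id": "P-0002", "note": "ok"})
    print("intact record verifies:", verify_record(good))
    print("altered record verifies:", tamper_demo())
    print("idle 14 min, expired:", session_expired(0.0, 14 * 60))
    print("idle 15 min, expired:", session_expired(0.0, 15 * 60))
    print("audit entries:", len(AUDIT_LOG))
```

The verification uses `hmac.compare_digest` rather than `==` so that the comparison does not leak timing information about the tag, and the audit entry is written on failure as well as success, since a failed integrity check is exactly the event an Information System Activity Review should surface.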

Where to Go From Here…

Even with this checklist in hand, the process of achieving full compliance is extensive, and that’s where Compliancy Group comes in.

Compliancy Group’s web-based compliance solution, The Guard, simplifies HIPAA compliance. It provides clients with a complete, web-based tool to achieve compliance, to illustrate this to the HHS and their patients, and to maintain that compliance through continued monitoring and support.

Compliancy Group is recognized as the industry leader in HIPAA compliance for healthcare professionals. The Guard has been endorsed by industry leaders such as Think About Your Eyes, the Telebehavioral Health Institute, Telehouse, eClinicalWorks, and AOAExcel.
